Drupal has had a bad first half of 2018 regarding security. Following Drupalgeddon 2 and the botnet exploits came a smaller update. This is now followed with a critical vulnerability (SA-CORE-2018-004) that allows remote code execution. The commit showing the made patches to Drupal 8.x is available online: https://github.com/drupal/drupal/commit/e116f8d39efc8bc7ac9065007480a2f45bd734ea#diff-7bff52b3a152bd658c6b6ec3f48c13fd
The flaw exists in the Drupal core package in all supported versions of Drupal, eg. 7.x and 8.x releases. This vulnerability allows attackers to exploit Drupal powered sites from numerous attack vectors. The end result being the site compromised as remote code can be executed, possibly giving unrestricted control to the hosting environment.
To make matters worse for Drupal security records, the vulnerability is being actively exploited hours after the patch was released by the Drupal core team. Regardless of how well the security team has worked to reveal these, it’s up to the community of users using Drupal to upgrade.
All in all the string of vulnerabilities in Drupal makes a dent in the reputation of Drupal. Earlier in 2015 the Drupalgeddon vulnerability played a part in the Panama Papers leak and Cambridge Analytica also continues to run vulnerable Drupal. Nowadays Drupal is mostly marketed as a robust enterprise tool for markets to hold critical data. With the codebase being shown to be exploitable week after week, it’s questionable if it can be considered as a tool to hold sensitive data.
Especially as GDPR regulations safe guarding privacy come into play. As a result, large enterprises using Drupal could end up paying fines up to 20 Million euros for using an unsecured Drupal installation. The price of free, unmaintained Open Source can come at a high price to organisations not competent in maintaining or purchasing maintenance Drupal.
More information on the vulnerability and how to protect from being exploited on Drupal security blog: https://www.drupal.org/sa-core-2018-004